Content Security Policy (CSP)

CSP is a valuable feature of modern browsers, and dappy supports it fully. The major difference is that the web server has no control over the policy: the CSP is not taken from the HTTP response headers of the top-level navigation request, nor from html meta tags.

Instead, CSP rules are defined at the name system level, alongside the other record values. Because the browser never reads the policy from the server response, a MITM attacker or an intruder on the web server cannot weaken or remove it.

See Mozilla's documentation on CSP

Our implementation

An example of a csp value in the configuration for the record mysite (the elision stands for the record's other values):

{
  "values": [
    ...,
    {
      "kind": "csp",
      "value": "default-src 'self' mysite; script-src https://mysite; img-src https://mysite https://mysecondsite"
    }
  ]
}
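The following is an added example, not dappy's own code, showing how a policy carried in a csp record value is read and then applied to resource loads the way a browser evaluates CSP: the directive for the resource type is used if present, otherwise default-src, and a missing fallback allows the load. The record is constructed for this example, mysite and mysecondsite are assumed to resolve as hostnames in the name system, and the source matcher is deliberately limited to 'self', 'none', bare hostnames and scheme://host entries (no wildcards, hashes or nonces).

```javascript
// Added example (not dappy's implementation): read the "csp" value out of a
// name-system record and check resource loads against it.
// Constructed record, mirroring the documentation's example policy.
const record = {
  values: [
    {
      kind: "csp",
      value:
        "default-src 'self' mysite; script-src https://mysite; img-src https://mysite https://mysecondsite",
    },
  ],
};

// Pull the CSP string out of a record; null when the record carries none.
function cspOfRecord(rec) {
  const v = (rec.values || []).find((x) => x.kind === "csp");
  return v ? v.value : null;
}

// Parse "directive src src; directive src" into a Map: directive -> [sources].
// A directive listed with no sources becomes an empty list, which allows nothing.
function parsePolicy(text) {
  const policy = new Map();
  for (const raw of text.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy.set(directive.toLowerCase(), sources);
  }
  return policy;
}

// Does one source expression match the URL being loaded?
// selfOrigin is the origin of the page applying the policy (assumed https://mysite).
function sourceMatches(source, url, selfOrigin) {
  const target = new URL(url);
  const self = new URL(selfOrigin);
  if (source === "'none'") return false;
  if (source === "'self'") {
    return self.protocol === target.protocol && self.host === target.host;
  }
  if (source.includes("://")) {
    // scheme://host entry: both scheme and host must match
    const s = new URL(source);
    return s.protocol === target.protocol && s.host === target.host;
  }
  // Bare hostname: host must match and the scheme must be the page's own
  // scheme (an http page may also load the https form of the host).
  const schemeOk =
    target.protocol === self.protocol ||
    (self.protocol === "http:" && target.protocol === "https:");
  return schemeOk && source.toLowerCase() === target.host.toLowerCase();
}

// Browser-style decision: specific directive, else default-src, else allowed.
function isAllowed(policy, directive, url, selfOrigin) {
  const sources = policy.has(directive)
    ? policy.get(directive)
    : policy.get("default-src");
  if (sources === undefined) return true; // no governing directive at all
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}

// Evaluate a few representative loads against the record's policy.
function checkLoads() {
  const policy = parsePolicy(cspOfRecord(record));
  const self = "https://mysite";
  return {
    ownScript: isAllowed(policy, "script-src", "https://mysite/app.js", self),
    secondSiteScript: isAllowed(policy, "script-src", "https://mysecondsite/app.js", self),
    secondSiteImage: isAllowed(policy, "img-src", "https://mysecondsite/logo.png", self),
    plainHttpScript: isAllowed(policy, "script-src", "http://mysite/app.js", self),
    ownApiCall: isAllowed(policy, "connect-src", "https://mysite/api", self),
    foreignApiCall: isAllowed(policy, "connect-src", "https://other.example/api", self),
  };
}

console.log(checkLoads());
```

Note that script-src names only https://mysite, so scripts from mysecondsite are blocked even though images from it are allowed; connect-src is absent from the policy and therefore falls back to default-src, which permits only the page's own origin and the mysite host.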
